Date: Sun, 07 Jun 2020 14:56:13 +0100
From: "Ethan Gardener"
To: "g_patrickb via 9fans" <9fans@9fans.net>
Subject: Re: [9fans] `test -x` returns wrong results for directories

On Sat, Jun 6, 2020, at 2:25 PM, Charles Forsyth wrote:
> execute permission on files, meaning here non-directories, is a special variant of read. a file with mode 0111 can be opened with OEXEC and read(2) will work as well as exec(2),
> but can't be opened with OREAD, because it's not got any of 0444 set. bits 0111 distinguish a file with contents that are intended to be executed once read from files with only 0444 that do not contain executable content.
> you wouldn't want every readable file to be executable (especially if you've used systems that didn't have that distinction).
> on the other hand, in a distributed file system, the client needs the contents of the file to run it (whether code or #!script) so it needs to be able to read files with just OEXEC.
> I suppose the rule could have been that it would need mode 5 (r+x) to make clear that the file was also readable, but it isn't.
>
> that OEXEC allows reading isn't true for a directory because exec means "search", so if it's mode 0111 (say) you can chdir into it but not read the names within it.
> if you know a name of a file in that directory, though, you can still open that. that's entirely enforced by the server.
>
> as the bug in access(2) suggests, only the server knows whether access should be granted, and the open call gets it to do that,
> but it doesn't work for OEXEC for directories as others have noted. perhaps stat+chdir is the most accurate test, since you need x (search) permission to walk(5) into a directory,
> but the caller won't thank you for the chdir (and there's no easy or certain way back), and ... that restriction isn't enforced by fossil or ramfs. (ramfs wrongly allows you to read a directory that's mode 0.)
>
> probably the best thing is just to ignore the owner/group/other distinction, and if the open(...OEXEC) fails, dirstat it, and if it's a directory with any of 0111 set, it's fine (a little better than now).

thanks for the analysis, charles. the dirstat you suggest wouldn't do any good for my case because rc-httpd runs as user none. the common problem it's trying to catch is a directory which isn't world-readable & world-searchable. 770 750 and 700 are common permissions.

perhaps i should have rc-httpd just run the commands and test their status rather than trying to test ahead of time, but this would somewhat spoil the neat and simple design.
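
Added example, not part of the original message and not Plan 9 source: a portable C model that compares the "any of 0111" fallback from the quoted text with what a caller in the "other" class, such as none, is granted on the modes named in the reply. The function names and the class-combining rule in `granted` are assumptions made for illustration; as the thread says, only the file server's answer is authoritative.

```c
#include <stdio.h>
#include <stdint.h>
/* Plan 9 mode-bit values; everything else here is a hypothetical model. */
#define DMDIR  0x80000000u  /* mode bit marking a directory */
#define DMREAD 0x4u
#define DMEXEC 0x1u         /* means "search" on a directory */

enum who { OWNER, GROUP, OTHER };   /* caller's relation to the file */

/* Fallback from the quoted text: a directory with any of 0111 set passes. */
int any_x_heuristic(uint32_t mode)
{
	return (mode & DMDIR) != 0 && (mode & 0111u) != 0;
}

/* Assumed model of the server's check: the bits of every class the caller
 * belongs to are combined; a user like none only ever gets "other". */
uint32_t granted(uint32_t mode, enum who w)
{
	uint32_t bits = mode & 07u;
	if (w <= GROUP) bits |= (mode >> 3) & 07u;
	if (w == OWNER) bits |= (mode >> 6) & 07u;
	return bits;
}

/* What a server running as none needs: read and search on the directory. */
int none_can_serve(uint32_t mode)
{
	uint32_t need = DMREAD | DMEXEC;
	return (mode & DMDIR) != 0 && (granted(mode, OTHER) & need) == need;
}

/* Count modes where the heuristic says yes but none is locked out. */
int false_positives(const uint32_t *modes, int n)
{
	int i, fp = 0;
	for (i = 0; i < n; i++)
		if (any_x_heuristic(modes[i]) && !none_can_serve(modes[i])) fp++;
	return fp;
}

int main(void)
{
	/* Constructed sample: the three modes from the reply, plus 755 and 711. */
	const uint32_t m[] = { DMDIR|0770, DMDIR|0750, DMDIR|0700, DMDIR|0755, DMDIR|0711 };
	int i, n = sizeof m / sizeof m[0];
	for (i = 0; i < n; i++)
		printf("%03o any-x=%d none=%d\n", (unsigned)(m[i] & 0777u), any_x_heuristic(m[i]), none_can_serve(m[i]));
	printf("false positives: %d of %d\n", false_positives(m, n), n);
	return 0;
}
```
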